EU Data Protection Regulation: one step forward

After months of discussion, the LIBE Committee of the European Parliament voted on compromise amendments to the draft General Data Protection Regulation on Monday 21st October 2013. These amendments will now feed into negotiations between Parliament, the Council of Ministers and the Commission. The vote of the LIBE committee is one more move towards adoption of the draft Regulation.

The main outcomes are:

Fines up to €100 million or 5% of annual worldwide turnover: MEPs propose a graduated set of sanctions: (i) a written warning (unintentional, first offences only), (ii) regular audits, and (iii) a fine of up to €100 million or 5% of annual worldwide turnover, whichever is greater (Article 79.2c).

Broad territorial scope confirmed: the amendments apply the Regulation to organisations outside the EU whenever they process personal data in connection with the provision of services to, or the monitoring of, individuals in the EU. This will apply to both controllers and processors – so US cloud providers who host personal data of EU individuals will, in many cases, be directly subject to EU law – even when the cloud provider's clients are not themselves established in the EU (Art. 3(2)).

Additional definitions in Article 4: MEPs have not pursued the new concept of a “data producer” (suggested in an earlier draft). However, new terms are introduced: “pseudonymous data” (data that cannot be attributed to a specific individual without the use of data held strictly separately), “encrypted data”, “profiling”, “third party” and “genetic data”. The definition of “main establishment” is amended: for both controllers and processors this will be where the main decisions on personal data processing are taken.

The compromise amendments state that identifiers provided by devices, applications or other online tools will be regarded as personal data, unless they do not relate to an identified or identifiable person. RFID technologies are added to the list of relevant examples (Recital 24).

Legitimate interests remain a strong lawful basis for processing personal data: these can be overridden where processing does not meet individuals' reasonable expectations (Article 6). The Recitals identify certain types of processing as suitable for reliance on legitimate interests: (i) pseudonymous data (Recital 38), (ii) processing for enforcement of legal claims and to prevent or limit damages (Recital 39a), and (iii) processing for direct marketing purposes by post (Recital 39b).

Consent must be freely given: a service cannot be made conditional on a user giving consent to the processing of personal data that is not 'necessary' for the service (Article 7.4). As the provisions on profiling remain unclear, this may constrain ad-supported services.

Data formerly known as sensitive: this term is defined in Article 9. MEPs have expanded the definition to cover “gender identity” and a variety of sanctions (i.e. administrative or criminal) or suspected offences. Does the inclusion of gender identity mean that collection of basic CRM data (e.g. Mr/Ms) will be made more difficult? The compromise amendments also add two additional legal grounds for processing such special categories of data: (i) performance or execution of a contract, (ii) processing necessary for archiving purposes.

Data subject’s rights: there is a new Article 10a to summarise the different rights provided to data subjects. MEPs encourage data controllers to provide data subjects with direct access to their personal data via a secure system (Article 12.2), echoing “mydata” movements. Controllers are given 40 calendar days (against one month in the Commission text) to respond to data subject rights.

Icon-based privacy notices: information must be provided in two ways: (i) in a yes/no icon-based table (with prescribed icons such as a money bag with a € on it to indicate list rental) (new Article 13a); and (ii) in a detailed notice. MEPs have expanded the prescribed contents for the detailed notice.

MEPs displeased by PRISM and the like: various new provisions have been included: (i) Article 15 (hb) provides a data subject with the right to know if his personal data has been disclosed to a public authority at the authority's request, (ii) Article 43(a) prohibits the transfer of personal data required by a third country court decision or administrative authority if this is not compliant with a mutual legal assistance treaty or an international agreement, (iii) Article 44(h) (which provided exemptions for transfers that are not frequent or massive) is now deleted, and (iv) Article 89 deletes Article 15 of Directive 2002/58/EC, which authorises use of traffic and location data by public authorities, inter alia for safeguarding national security and law enforcement activities.

A right to be forgotten rebranded: the “right to be forgotten and to erasure” becomes the “right to erasure” (Article 17). MEPs introduce a welcome limitation by providing that, instead of erasure, the data should be restricted where “the particular type of storage technology does not allow for erasure and has been installed before the entry into force of this Regulation” (Article 7.4.da).

Two sorts of profiling subject to different obligations: the European Parliament introduces a distinction between two sorts of profiling. The first leads to measures producing legal effects or significantly affecting the data subject. This is only possible: (i) if necessary for entering into, or performance of, a contract where there are suitable measures to safeguard the individual's legitimate interests, (ii) where expressly provided by EU/member state law, or (iii) if based on consent (Article 20.2). Other profiling activity (e.g. provision of content by a news website based on the country of origin of the internet user) is acceptable, but a right to object must be highlighted. Profiling based on pseudonymous data falls into the second category – unless it can be attributed to a specific data subject, in which case the data is no longer pseudonymous. It is unclear how advertising-driven profiling would be treated.

Joint controllers: the European Parliament now provides that the “essence of the arrangement” between co-controllers shall be made available to the data subjects (Article 24). This aims to force controllers to define clearly who does, and is responsible for, what.

Amendments to data breach notification framework: Article 31 requires notification “without undue delay”. MEPs have also inserted a duty for supervisory authorities to maintain a public register of the types of breach notified (Article 31.4a). Questions remain as to (1) what will happen to the breach notification regime currently being discussed in the draft Cybersecurity Directive and (2) what will happen to providers of publicly available electronic communications services, who remain subject to their specific procedures pursuant to European Regulation 611/2013 (i.e. notification within 24 hours after detection of a breach).

Data Protection Impact Assessment (“PIA”): the threshold for PIAs is extended via new Article 32a - e.g. processing of personal data relating to more than 5000 data subjects during any consecutive 12-month period. In certain cases, the data protection officer or the supervisory authority must be consulted (Article 34). PIAs must be repeated at least annually. 'LDPM' is likely to become the new data protection acronym, as PIAs are now part of a new Lifecycle Data Protection Management obligation (Article 33.1).

Data protection officer (“DPO”): the trigger for appointing a DPO will be the number of people whose data is processed (5000 data subjects in any consecutive 12-month period), not the number of personnel (original Commission approach) (Article 35.1.b). A DPO will have to be appointed if (i) special categories of data, (ii) location data, (iii) data relating to children, or (iv) employee data in large scale filing systems are processed (Article 35.1.d). There is a new 4 (employee) or 2 (contractor) year minimum term for the DPO (Article 34.7), a list of minimum qualifications (Recital 75a), and a duty of confidentiality (Article 36).

“European data protection seal”: Article 39 is redrafted to encourage companies to have their data processing certified by a supervisory authority, possibly in cooperation with accredited third party auditors. Such a certificate would be valid for up to 5 years. A public register of valid and invalid certificates will be maintained. To encourage certification, there are some incentives such as (i) offering a lawful basis for transferring the data if the accredited company is located in a third country (Article 42.2.aa), or (ii) not being subject to fines unless the breach is intentional or negligent.

Transfer to third countries: the criteria for assessing adequacy are altered. Pursuant to revised Article 41.8, existing adequacy decisions by the Commission are to expire 5 years after entry into force of the Regulation (unless amended, replaced, or repealed by the Commission before then). Authorisations granted by data protection authorities are subject to a 2-year sunset period (Article 42.5). Unfortunately, it seems that the same sunset period also applies to transfers based on standard contractual clauses and Binding Corporate Rules (both of which rely on authorisations under Art. 26(2) of Directive 95/45).

Supervisory Authorities: the one-stop shop is replaced by a 'lead authority': the lead must consult all other competent authorities, take the utmost account of their opinions, and endeavour to reach a consensus (Article 54a). The EDPB will be involved if a consensus cannot be found and is given powers to impose decisions on individual authorities (Article 58a).

In addition to voting on amendments to the General Data Protection Regulation, MEPs also voted on amendments to the proposed Directive on data protection in the law enforcement sector.